The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user’s security credentials, such as a password. The name CAS also refers to a software package that implements this protocol. – From Central Authentication Service - Wikipedia
It involves one or many clients and one server:
The CAS server is responsible for authenticating users and granting access to applications.
The CAS clients protect the CAS applications and retrieve the identity of the granted users from the CAS server.
The CAS client communicates with the CAS server and is responsible for providing authentication to your application, so it has to be integrated into your application.
From the list of the available clients, you should pick the one that best suits your needs:
NOTE: if a client's build status is failing, you might not be able to use it.
Because of its simplicity, the Apache CAS client might be the easiest starting point to test CAS.
On Debian, install libapache2-mod-auth-cas (CAS authentication module for Apache2):
sudo apt-get install libapache2-mod-auth-cas apache2
After installation, the module should be activated automatically. You need to set a few required parameters in your Apache configuration, which can be done in the file /etc/apache2/mods-enabled/auth_cas.conf (change the values accordingly):
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://login.example.org/cas/login
CASValidateURL https://login.example.org/cas/serviceValidate
Protect a Location or Directory block in your Apache configuration:
<Location /secured>
AuthType CAS
Require valid-user
</Location>
Then, restart apache:
sudo service apache2 restart
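The exchange a CAS client such as the Apache module carries out with the two URLs configured above, as an added example (not code from the original page or from mod_auth_cas). The service URL, the ticket and the XML responses are constructed; the element names and namespace are those of CAS 2.0 serviceValidate responses.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# URLs from the configuration above; SERVICE is a hypothetical protected URL.
CAS_LOGIN_URL = "https://login.example.org/cas/login"
CAS_VALIDATE_URL = "https://login.example.org/cas/serviceValidate"
SERVICE = "https://app.example.org/secured"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses from the validation endpoint.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def login_redirect(service=SERVICE):
    """Step 1: an unauthenticated browser is sent to the CAS login page."""
    return CAS_LOGIN_URL + "?" + urlencode({"service": service})


def validate_request(ticket, service=SERVICE):
    """Step 2: the client itself asks the server whether the ticket is valid."""
    return CAS_VALIDATE_URL + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validation(xml_text):
    """Return (user, None) on success, (None, error_code) on anything else."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip(), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    # Fail closed: a response without a namespaced success element grants nothing.
    return None, "MALFORMED_RESPONSE"


if __name__ == "__main__":
    print(login_redirect())
    print(validate_request("ST-1-constructed"))
    print(parse_validation(SUCCESS), parse_validation(FAILURE))
```

The application only ever handles the ticket and the validated user name; the password is entered on the CAS server's login page.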
The CAS Server is deployed via WAR file into a servlet container.
There is no officially supported servlet container for CAS, but Apache Tomcat is the most commonly used. The following servlet containers are known to work well:
You can install Tomcat with:
sudo apt-get install tomcat8 tomcat8-admin
In order to produce the WAR, you can use the Maven WAR overlay. This is a sample project that creates the WAR file with the CAS server.
First, you will need to install Maven and Git:
sudo apt-get install maven git
Now, you have to clone the repository https://github.com/Jasig/cas-overlay-template:
git clone https://github.com/Jasig/cas-overlay-template.git
Then build the project:
cd cas-overlay-template
./mvnw clean package
If the build is successful, you should have the file target/cas.war. After the package has been created, it's time to deploy it to the server.
On Tomcat, you can copy the file to Tomcat's webapps folder:
sudo cp target/cas.war /var/lib/tomcat8/webapps/
Or, you can access the URL http://localhost:8080/manager and deploy the server through the section WAR file to deploy.
Now, test the newly deployed server at http://localhost:8080/cas
The CAS server can work with plenty of authentication options. Check them out in Authentication Handlers.
The option we are going to use is LDAP. It is widely used and many applications are already integrated with this service.
First, install the PostgreSQL database server and client. Additionally, you can also install PhpPgAdmin:
sudo apt-get install postgresql postgresql-client phppgadmin
If you need to access PhpPgAdmin from outside the machine where it is installed, edit the file /etc/apache2/conf-enabled/phppgadmin.conf, comment out the line with Require local and restart Apache.
Then, define a password for the user postgres and connect the command line client to the server as the postgres user:
sudo passwd postgres
su - postgres
psql
Inside the psql client, run the following queries to create a user and a database for CAS:
CREATE USER casuser WITH PASSWORD 'casuserpass';
CREATE DATABASE cas OWNER casuser;
Quit from the database with the command \q.
You can test your PostgreSQL installation from the browser at http://localhost/phppgadmin